Maldun Security Analysis Report
Analysis overview
  Analysis type: FILE
  Start time: 2016-05-17 13:14:09
  End time: 2016-05-17 13:16:46
  Duration: 157 seconds
  Analysis engine version: 1.4-Maldun

Virtual machine
  Machine name: win7-sp1-x64-1
  Label: win7-sp1-x64-1
  Hypervisor: KVM
  Boot time: 2016-05-17 13:14:09
  Shutdown time: 2016-05-17 13:16:46

Maldun score: 10.0 (Zegost)

File details
  File name: server.exe
  File size: 159288 bytes
  File type: PE32 executable (GUI) Intel 80386, for MS Windows
  CRC32: 76812114
  MD5: fa4955c02390830b26e82cbae5ed66f6
  SHA1: 68b964e340cb29fb8c94e12a7bf0265e1085d581
  SHA256: e110990a7f629e6c0f77ce1909a9ec0a9978f58f754975619bcdaa62b72c29c5
  SHA512: 4ed0663068126c941ee2eee363abd71520611e62f80bd806634207f3fce099f4046a961161f16877f78b094f72780a339ced3af44a02ca96deef26f572ea8207
  Ssdeep: 3072:AfPh6t5HWqv0yxmktUXoqRA8F2CfOgiI121a+FA:OE0AmktUXTFF2EOgV121j
  PEiD: no match
  Yara: no Yara rule matched
  VirusTotal: VirusTotal link; scan time: 2016-05-16 12:49:51; result: 46/57

Signatures
  - Carries an Authenticode digital signature
      md5_fingerprint: 242913a2a31bad3bc7f08e547e0bbfad
      sha1_fingerprint: 2fdd445591cd2eedbef8b8a281896a59c08b3dc9
      sn: 150788145857946049648934408799086261262
      cn: Tencent Technology(Shenzhen) Company Limited
  - Drops a binary and executes it
      binary: C:\ProgramData\Microsoft\Mxzwq\kvrjlf.exe
  - Performs HTTP requests
      url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
      url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEHFwvZPPPxia5kUrUUxJNA4%3D
      url: http://csc3-2010-crl.verisign.com/CSC3-2010.crl
  - Forces a newly created process to be loaded as a child of another, unrelated process
  - Deletes its original binary from disk
  - Installs itself for autorun at Windows startup
      service name: Ghijkl Nopqrstu Wxy
      service path: C:\ProgramData\Microsoft\Mxzwq\kvrjlf.exe
  - Detected as malicious by at least ten antivirus engines on VirusTotal
      Bkav: W32.Clodd94.Trojan.729b
      MicroWorld-eScan: Gen:Variant.Symmi.49705
      CAT-QuickHeal: Backdoor.Zegost.018629
      ALYac: Gen:Variant.Symmi.49705
      Zillya: Backdoor.Zegost.Win32.3529
      TheHacker: Trojan/Farfli.boa
      K7GW: Riskware ( 0040eff71 )
      K7AntiVirus: Riskware ( 0040eff71 )
      Baidu: Win32.Trojan.WisdomEyes.151026.9950.9982
      Cyren: W32/Trojan.EVTB-7767
      ESET-NOD32: Win32/Farfli.BOA
      TrendMicro-HouseCall: BKDR_ZEGOST.SM01
      Avast: Win32:Malware-gen
      GData: Gen:Variant.Symmi.49705
      Kaspersky: Backdoor.Win32.Zegost.dgrp
      BitDefender: Gen:Variant.Symmi.49705
      NANO-Antivirus: Trojan.Win32.Zegost.dqwfmx
      AegisLab: Backdoor.W32.Zegost!c
      Tencent: Win32.Trojan.Falsesign.Ednl
      Ad-Aware: Gen:Variant.Symmi.49705
      Emsisoft: Gen:Variant.Symmi.49705 (B)
      Comodo: TrojWare.Win32.Farfli.LK
      F-Secure: Gen:Variant.Symmi.49705
      DrWeb: Trojan.DownLoader12.63145
      VIPRE: Trojan.Win32.Generic!BT
      TrendMicro: BKDR_ZEGOST.SM01
      McAfee-GW-Edition: GenericR-DZQ!FA4955C02390
      Sophos: Troj/Zegost-GO
      F-Prot: W32/Trojan2.OPOR
      Jiangmin: Backdoor/Zegost.cqo
      Avira: TR/Crypt.XPACK.Gen7
      Antiy-AVL: Trojan[Backdoor]/Win32.Zegost.dgrp
      Arcabit: Trojan.Symmi.DC229
      Microsoft: Backdoor:Win32/Zegost.BW
      AhnLab-V3: Backdoor/Win32.Agent
      McAfee: GenericR-DZQ!FA4955C02390
      AVware: Trojan.Win32.Generic!BT
      VBA32: Backdoor.Zegost
      Baidu-International: Backdoor.Win32.Zegost.dgrp
      Rising: Backdoor.Zegost!8.177-5HcJEr5OzXH (Cloud)
      Yandex: Backdoor.Zegost!a7VM0k0YXN8
      Ikarus: Trojan.Win32.Farfli
      Fortinet: W32/Farfli.BBB!tr
      AVG: BackDoor.Generic18.CBEX
      Panda: Trj/CI.A
      Qihoo-360: Backdoor.Win32.Gh0st.KS
  - Creates a copy of itself
      copy: C:\ProgramData\Microsoft\Mxzwq\kvrjlf.exe

Screenshots
  (screenshots not reproduced in this transcription)

Network analysis

  Hosts contacted
    Direct access   IP address      Country
    No              23.44.155.27    United States
    No              23.44.149.163   United States

  DNS resolution
    ocsp.verisign.com
      CNAME  ocsp-ds.ws.symantec.com.edgekey.net
      CNAME  e8218.dscb1.akamaiedge.net
      A      23.44.155.27
    csc3-2010-crl.verisign.com
      A      23.44.149.163
      CNAME  e6845.dscb1.akamaiedge.net
      CNAME  crl-ds.ws.symantec.com.edgekey.net

  TCP connections (IP address, port)
    23.44.149.163  80
    23.44.155.27   80

  UDP connections (IP address, port)
    192.168.122.1    53
    192.168.122.1    53
    192.168.122.1    53
    192.168.122.255  138

  HTTP requests
    URL: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
    Data:
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: ocsp.verisign.com

    URL: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEHFwvZPPPxia5kUrUUxJNA4%3D
    Data:
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEHFwvZPPPxia5kUrUUxJNA4%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: ocsp.verisign.com

    URL: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEHFwvZPPPxia5kUrUUxJNA4%3D
    Data:
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEHFwvZPPPxia5kUrUUxJNA4%3D HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: ocsp.verisign.com

    URL: http://csc3-2010-crl.verisign.com/CSC3-2010.crl
    Data:
      GET /CSC3-2010.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: csc3-2010-crl.verisign.com

Static analysis

  PE information
    Image base: 0x00400000
    Entry point: 0x00402440
    Declared checksum: 0x00000000
    Actual checksum: 0x0002d936
    Minimum OS version required: 4.0
    Compile time: 2015-04-18 12:14:38

  Icon
    Icon exact hash: f3a24b1c0741ec88fdd56e6cf54b7268
    Icon similarity hash: 68596f9ce6126103742256136f4102e9

  Exported DLL name: Install.dat

  Version information
    LegalCopyright:
    InternalName:
    FileVersion: 2.00
    CompanyName: UPDATE
    PrivateBuild:
    LegalTrademarks:
    Comments: MTT
    ProductName:
    SpecialBuild: 2.00
    ProductVersion: 2.00
    FileDescription: WINDOWS UPDATE
    OriginalFilename:
    Translation: 0x0804 0x04b0

  PE sections
    Name    Virtual address  Virtual size  Raw data size  Characteristics                                                          Entropy
    .text   0x00001000       0x0000543a    0x00006000     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ              6.16
    .rdata  0x00007000       0x00000e01    0x00001000     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                        5.27
    .data   0x00008000       0x0001b1bc    0x0001b000     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE    6.41
    .rsrc   0x00024000       0x00001480    0x00002000     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                        3.69

  Overlay
    Offset: 0x00025000
    Size: 0x00001e38

  Resources
    Name           Offset      Size        Language      Sublanguage                 Entropy  File type
    RT_ICON        0x000243c0  0x000010a8  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  5.02     data
    RT_GROUP_ICON  0x00025468  0x00000014  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  1.78     MS Windows icon resource - 1 icon
    RT_VERSION     0x000240f0  0x000002d0  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  3.28     data

  Imports
    Library KERNEL32.dll:
      • 0x407000 - HeapFree
      • 0x407004 - GetProcessHeap
      • 0x407008 - HeapAlloc
      • 0x40700c - HeapReAlloc
      • 0x407010 - Sleep
      • 0x407014 - VirtualAlloc
      • 0x407018 - VirtualProtect
      • 0x40701c - VirtualFree
      • 0x407020 - GetProcAddress
      • 0x407024 - LoadLibraryA
      • 0x407028 - IsBadReadPtr
      • 0x40702c - FreeLibrary
      • 0x407030 - WriteFile
      • 0x407034 - GetCommandLineA
      • 0x407038 - GetStringTypeA
      • 0x40703c - LCMapStringW
      • 0x407040 - LCMapStringA
      • 0x407044 - MultiByteToWideChar
      • 0x407048 - RtlUnwind
      • 0x40704c - RaiseException
      • 0x407050 - GetModuleHandleA
      • 0x407054 - GetStartupInfoA
      • 0x407058 - GetVersion
      • 0x40705c - ExitProcess
      • 0x407060 - SetUnhandledExceptionFilter
      • 0x407064 - TerminateProcess
      • 0x407068 - GetCurrentProcess
      • 0x40706c - UnhandledExceptionFilter
      • 0x407070 - GetModuleFileNameA
      • 0x407074 - FreeEnvironmentStringsA
      • 0x407078 - FreeEnvironmentStringsW
      • 0x40707c - WideCharToMultiByte
      • 0x407080 - GetEnvironmentStrings
      • 0x407084 - GetEnvironmentStringsW
      • 0x407088 - SetHandleCount
      • 0x40708c - GetStdHandle
      • 0x407090 - GetFileType
      • 0x407094 - GetEnvironmentVariableA
      • 0x407098 - GetVersionExA
      • 0x40709c - HeapDestroy
      • 0x4070a0 - HeapCreate
      • 0x4070a4 - IsBadWritePtr
      • 0x4070a8 - IsBadCodePtr
      • 0x4070ac - GetCPInfo
      • 0x4070b0 - GetACP
      • 0x4070b4 - GetOEMCP
      • 0x4070b8 - GetStringTypeW
    Library USER32.dll:
      • 0x4070c0 - LoadCursorA
      • 0x4070c4 - wsprintfA
      • 0x4070c8 - LoadIconA

  Exports
    Ordinal  Address   Name
    1        0x401c70  Ip

Dropped files

  kvrjlf.exe
    File name: kvrjlf.exe
    Associated file: C:\ProgramData\Microsoft\Mxzwq\kvrjlf.exe
    File size: 159288 bytes
    File type: PE32 executable (GUI) Intel 80386, for MS Windows
    MD5: fa4955c02390830b26e82cbae5ed66f6
    SHA1: 68b964e340cb29fb8c94e12a7bf0265e1085d581
    SHA256: e110990a7f629e6c0f77ce1909a9ec0a9978f58f754975619bcdaa62b72c29c5
    SHA512: 4ed0663068126c941ee2eee363abd71520611e62f80bd806634207f3fce099f4046a961161f16877f78b094f72780a339ced3af44a02ca96deef26f572ea8207
    Ssdeep: 3072:AfPh6t5HWqv0yxmktUXoqRA8F2CfOgiI121a+FA:OE0AmktUXTFF2EOgV121j
    Yara: no match
    VirusTotal: search related analyses

Behavior analysis

  Mutexes
    -mI\xe5\xb7\xa6,k??W\xe7\xa5\x89\xe5\xab\xbdm\xe6\x88\xaaf,\xe6\x84\xafj\x10/\xe9\xae\x98@s?Nu\xe9\x8a\xaet,
    DBWinMutex

  Executed commands
    C:\Windows\system32\cmd.exe /c @ping -n 5 127.0.0.1&del C:\Users\test\AppData\Local\Temp\server.exe > nul
    C:\ProgramData\Microsoft\Mxzwq\kvrjlf.exe
    C:\ProgramData\Microsoft\Mxzwq\kvrjlf.exe NewRunApp
    C:\Windows\system32\PING.EXE ping -n 5 127.0.0.1

  Services created
    Ghijkl Nopqrstu Wxy

  Services started
    Ghijkl Nopqrstu Wxy

  Processes (process tree reconstructed from the reported PID / parent PID pairs)
    server.exe    PID: 1960, parent PID: 2152
      cmd.exe     PID: 792,  parent PID: 1960
        PING.EXE  PID: 2788, parent PID: 792
    services.exe  PID: 452,  parent PID: 356
      kvrjlf.exe  PID: 1952, parent PID: 452
        kvrjlf.exe  PID: 1832, parent PID: 1952

  Files accessed
    C:\ProgramData\Microsoft\Mxzwq
    C:\Users\test\AppData\Local\Temp\server.exe
    C:\ProgramData\Microsoft\Mxzwq\kvrjlf.exe
    C:\Windows\Temp
    C:\Users\test\AppData\Local\Temp
    C:\Users
    C:\Users\test
    C:\Users\test\AppData
    C:\Users\test\AppData\Local
    C:\Users\test\AppData\Local\Temp\ping.*
    C:\Users\test\AppData\Local\Temp\ping
    C:\Windows\System32\ping.*
    C:\Windows\System32\PING.COM
    C:\Windows\System32\PING.EXE
    C:\Windows\Globalization\Sorting\sortdefault.nls
    \??\nul
    C:\
    \??\Nsi

  Files read
    C:\Users\test\AppData\Local\Temp\server.exe
    C:\Windows\Globalization\Sorting\sortdefault.nls

  Files modified
    C:\ProgramData\Microsoft\Mxzwq\kvrjlf.exe
    \??\nul

  Files deleted
    C:\Users\test\AppData\Local\Temp\server.exe

  Registry keys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ghijkl Nopqrstu Wxy
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\Description
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\MakeTime
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\ObjectName
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\ImagePath
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\WOW64
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
    HKEY_CURRENT_USER
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
    HKEY_USERS\.DEFAULT\Environment
    HKEY_USERS\.DEFAULT\Volatile Environment
    HKEY_USERS\.DEFAULT\Volatile Environment\0
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\Environment
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows\NoInteractiveServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir
    HKEY_USERS\S-1-5-18
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
    HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultTTL
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
    HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Parameters\Transports
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\Winsock
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\Mapping
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\Mapping
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip\WinSock 2.0 Provider ID
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MinSockaddrLength
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MaxSockaddrLength
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\UseDelayedAcceptance
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\HelperDllName

  Registry keys read
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\ObjectName
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\ImagePath
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\WOW64
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\Environment
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows\NoInteractiveServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultTTL
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Parameters\Transports
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\Mapping
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\Mapping
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip\WinSock 2.0 Provider ID
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MinSockaddrLength
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MaxSockaddrLength
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\UseDelayedAcceptance
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\HelperDllName

  Registry keys modified
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\Description
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ghijkl Nopqrstu Wxy\MakeTime

  Registry keys deleted
    No information

  API resolution (in the order reported, grouped by module)
    msvcrt.dll: _strupr, _strnicmp, _adjust_fdiv, _initterm, _beginthreadex, strncmp, strncat, strchr, fopen, fwrite, fclose, exit, _mbsnbicmp, strrchr, _iob, fprintf, strcat, clock, strcmp, _local_unwind2, _except_handler3, time, srand, printf, sprintf, strcspn, strncpy, atoi, rand, strcpy, memcmp, ??2@YAPAXI@Z, memset, __CxxFrameHandler, free, malloc, strstr, strlen, _ftol, ceil, memmove, memcpy, ??3@YAXPAX@Z, _strcmpi
    ws2_32.dll: #11, WSAIoctl, #12, #57, #3, #18, #16, #23, #52, #9, #4, #21, #20, #8, #6, #116, #115, WSASocketA, #19
    user32.dll: OpenDesktopA, GetThreadDesktop, GetUserObjectInformationA, OpenInputDesktop, SetThreadDesktop, CloseDesktop, GetKeyState, GetAsyncKeyState, GetForegroundWindow, ExitWindowsEx, EnumWindows, GetWindowTextA, MessageBoxA, wsprintfA
    ole32.dll: CoUninitialize, CoCreateInstance, CoInitialize
    oleaut32.dll: #6
    kernel32.dll: TerminateThread, Process32Next, OpenProcess, Process32First, QueryDosDeviceA, lstrcmpiA, GetLogicalDriveStringsA, TerminateProcess, MoveFileExA, MoveFileA, GetTempPathA, GetLongPathNameA, GetCurrentProcess, WriteFile, SetFilePointer, GetFileSize, CreateFileA, ReadFile, GetSystemInfo, GetModuleHandleA, GlobalMemoryStatus, GetVersionExA, CreateDirectoryA, CreateMutexA, WinExec, SetThreadPriority, GetCurrentThread, SetPriorityClass, GetEnvironmentVariableA, GetShortPathNameA, OpenEventA, SetFileAttributesA, CopyFileA, DefineDosDeviceA, GetCurrentThreadId, CreateToolhelp32Snapshot, InitializeCriticalSection, DeleteCriticalSection, VirtualFree, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, CreateEventA, CloseHandle, WaitForSingleObject, ResetEvent, SetEvent, InterlockedExchange, CancelIo, Sleep, GetTickCount, GetLocalTime, OutputDebugStringA, FreeLibrary, GetProcAddress, LoadLibraryA, lstrcpyA, lstrcatA, GetSystemDirectoryA, FileTimeToSystemTime, GetSystemTime, FindFirstFileA, GetModuleFileNameA, DeleteFileA, GetWindowsDirectoryA, LocalFree, GetLastError, HeapFree, GetProcessHeap, HeapAlloc, HeapReAlloc, VirtualProtect, IsBadReadPtr, GetFileAttributesA, LocalSize, LocalAlloc, CreateProcessA, GetStartupInfoA, lstrlenA
    advapi32.dll: RegOpenKeyA, RegQueryValueExA, RegCreateKeyA, RegSetValueExA, RegCloseKey, OpenSCManagerA, OpenServiceA, DeleteService, CloseServiceHandle, ChangeServiceConfig2A, RegOpenKeyExA, StartServiceA, CreateServiceA, CloseEventLog, ClearEventLogA, OpenEventLogA, RegDeleteKeyA, RegEnumKeyExA, RegQueryValueA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegEnumValueA, RegCreateKeyExA, RegDeleteValueA, CreateProcessAsUserA, SetTokenInformation, DuplicateTokenEx, SetServiceStatus, RegisterServiceCtrlHandlerA, StartServiceCtrlDispatcherA, UnlockServiceDatabase, LockServiceDatabase
    iphlpapi.dll: GetIfTable, GetAdaptersInfo
    wininet.dll: InternetReadFile, InternetOpenA, InternetOpenUrlA, InternetCloseHandle
    shell32.dll: SHGetSpecialFolderPathA, ShellExecuteA
    kernel32.dll: GetSystemTimes
    server.exe: Ip
    kvrjlf.exe: Ip
    kernel32.dll: WTSGetActiveConsoleSessionId
    wtsapi32.dll: WTSQueryUserToken
    winsta.dll: WinStationQueryInformationW
    advapi32.dll: LookupAccountSidW
    sechost.dll: LookupAccountSidLocalW
    advapi32.dll: CreateWellKnownSid
    rpcrt4.dll: RpcStringBindingComposeW, RpcBindingFromStringBindingW, RpcStringFreeW, RpcBindingSetAuthInfoExW
    sechost.dll: LookupAccountNameLocalW
    rpcrt4.dll: NdrClientCall2, RpcBindingFree
    userenv.dll: CreateEnvironmentBlock
    sechost.dll: ConvertSidToStringSidW
    sspicli.dll: GetUserNameExW
    kernel32.dll: SetThreadUILanguage, CopyFileExW, IsDebuggerPresent, SetConsoleInputExeNameW, SortGetHandle, SortCloseHandle
    mswsock.dll: WSPStartup
    wshtcpip.dll: WSHOpenSocket, WSHOpenSocket2, WSHJoinLeaf, WSHNotify, WSHGetSocketInformation, WSHSetSocketInformation, WSHGetSockaddrType, WSHGetWildcardSockaddr, WSHGetBroadcastSockaddr, WSHAddressToString, WSHStringToAddress, WSHIoctl

©2016 上海魔盾信息科技有限公司 (Shanghai Maldun Information Technology Co., Ltd.)